Adobe: Serious XSS vulnerability reported... Update to Adobe 8 now!
Friday, 5. January 2007, 13:32:38

A serious problem has been revealed in the behaviour of the popular Adobe Reader browser plugin software, allowing maliciously crafted links apparently pointing to genuine PDFs on trusted sites to run JavaScript code or perform other unwanted actions.
The hole, which involves unconventional use of the 'Open Parameters' functionality in Adobe's PDF handling system, has been found to be most serious when using the Firefox browser, and has been shown to work successfully under Windows XP and Linux operating systems. Adobe has been aware of the problem for some time and has included a fix for it in version 8 of the software; however, earlier versions are still vulnerable to such attacks. A workaround is detailed in a blog entry from Symantec, which describes the ease of exploiting the flaw as 'breathtaking'.
Adobe is advising all users to upgrade to the latest version. The original disclosure of the vulnerability from researchers at WiSec is here. Several security firms have issued alerts and analysis on the problem, including alerts from Secunia and WebSense. Free downloads of Adobe Reader 8 are available here.